Get out the shredder: medical records found in garden shed

Written by Kate McDonald on 15 July 2014.

A Melbourne medical centre has been found to have committed a breach of the Privacy Act when it failed to properly secure or dispose of old medical records that were discovered in a garden shed after a break-in.

Pound Road Medical Centre (PRMC) had operated a medical centre at a site in Narre Warren South for a number of years before moving to a new location, but unintentionally left behind medical records for 960 patients along with other sensitive documents such as batched Medicare vouchers and invoices for payments made.

The majority of the records related to individuals who ceased to be active patients of the practice principal prior to 2004. In that year, the practice installed Medical Director and began to scan in paper records and other paper correspondence. Scanned files were kept in a locked room.

When PRMC moved to new premises in 2012, it transferred some of the old records from the locked room to the garden shed at the back of the site so renovations could occur.

PRMC said it did not recognise at the time that the moved documents included some health records. The old files were discovered in the garden shed after a break-in in November last year.

Privacy Commissioner Timothy Pilgrim said physical security of hard copy documents was just as important as digital security.

“There is no point in converting paper records to a secure digital system, and then leaving the paper files unsecured,” Mr Pilgrim said. “If paper records are no longer needed, they should be disposed of securely.”

It is a requirement under the Privacy Act that organisations securely destroy or de-identify personal information that is no longer required.

“Get out the shredder or hire a secure document destruction service,” Mr Pilgrim said. “If you don’t, you’re putting your clients at risk of identity theft or fraud, and your company at risk of enforcement action.”

Mr Pilgrim noted the seriousness of the breach in that the records contained full names, addresses, dates of birth and Medicare numbers as well as diagnoses and hospital discharge summaries.

While the practice did not believe any patient records were being stored, it did know that other sensitive information such as invoices and payments to other healthcare providers was being stored in the shed. Even if there were no health records, the practice's obligation to securely destroy or identify personal information that was no longer required would still have applied.

“The Privacy Act requires organisations to take reasonable steps to protect the personal information of their customers,” he said. “I can’t think of any circumstances in which it would be reasonable to store health records, or any sensitive information, in an insecure temporary structure such as a garden shed.”

As the breach occurred under the old National Privacy Principles and before the new Australian Privacy Principles came into effect in March, the medical centre has not been penalised for the breach.

Instead, it has instituted a number of rectification strategies including undertaking a risk assessment, organising privacy training for all staff and developing a data breach response plan for potential incidents in the future.

However, under the new privacy principles it could have been fined. And with mandatory data breach legislation likely to be debated again this year – it was delayed last year due to the federal election – fines could have been applied as the practice did not notify any of the patients that their data may have been breached.